Januar 4, 2020

No app is an island: The malware dangers of libraries and APIs

Joel Snyder

Every application depends on other software to work. It’s not just the operating system, but an entire ecosystem of libraries and Application Programming Interfaces (APIs) that speed the process of developing and delivering all modern applications. From a software developer’s point of view, the wide variety of libraries and packages available is an amazing accelerator. It’s code that doesn’t have to be written and debugged and maintained because someone out there is already doing that work. But it can also be an accelerator for malware.

For example, let’s suppose you need to know how many hours are between two dates. If you’re a programmer, you can definitely figure this out. First, you convert the date (like “January 16, 1964”) to some standard format. Do the other date, and then subtract the two. The answer might be in seconds, so you’d divide that by 3600, and boom, there’s your answer. Except that we’re now talking about thousands of lines of software to do all of that work.

Or, you can take the easy way out: Find a library with some time-and-date API you can call to hand over a couple of dates and do the subtraction. That’s not just easy — it’s actually better, because you can use a library that has been tested and debugged and is based on hundreds of hours of someone else’s work, probably doing an excellent job at solving the problem.


Do APIs pose security risks?

For an IT manager, though, this style of software development comes with increased complexity and security risks. Why? Because when you install an application from developer X, you aren’t just installing software from X. You’re also installing libraries and APIs from A, B, C, D, E and F. And that can bring potential problems. First, each of these libraries and APIs may have bugs that can open the door to system compromise and security failure.

Second, the libraries and APIs are generally large compared to the amount of code that is actually needed. For example, a date-time library has more than 100 functions in it. And even if only one of those functions is needed, the entire library is loaded when even one of the routines is ever called. More code equals more potential for security problems.

It’s not just a theoretical problem. In October 2019, security researchers discovered that WhatsApp was using a library called “libpl_droidsonroids_gif.” That library has a memory allocation error in it (called a “double-free” bug). Combining that bug with a complementary bug in WhatsApp, and the researchers discovered several small holes that can be used to compromise Android versions 8.1 and 9.0.


What can be done about it?

Is this a problem? What can an IT manager actually do about these libraries that are hitchhiking on their applications? The unfortunate answer is, “not much.” But there are some things to keep in mind when users want to install applications on their mobile devices.

  1. Just because the software developer is trusted and trustworthy doesn’t mean that the entire software supply chain is uncompromised. Treat every application, even ones from trusted vendors, as a potential security problem. Tools such as Android for Work and Knox Platform for Enterprise help to isolate applications and data, reducing the risk when security is compromised.

  2. Use your Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) tools to control application installation. For example, restricting application installations to the Google Play Store or requiring that Google Play Protect be enabled can help reduce the risk of malware making a beachhead on your mobile devices.

  3. Using approved application lists is a radical step, but in high-security environments or those where the costs of compromise are very high, it may be the right step — again, managed through your MDM/EMM tools.

  4. Remove applications, especially applications that are not being regularly updated, from your mobile devices when they are not being used. If someone loads a car rental app on their mobile device because they want to rent a car, that’s fine. But if that’s a one-off and they normally use a different rental car agency, get rid of that application.

  5. If you’re also developing applications, encourage your development team to work with native Android APIs rather than third-party libraries. That’s not a promise that API compromise won’t happen, but it means you’re traveling a broader road with many more application developers, and many more eyes are looking at that code — which usually speeds security updates.

Today’s mobile device landscape is dotted with security landmines, and businesses and their employees can never be too cautious about what’s happening inside smartphones or tablets. See how Samsung Knox can help you navigate this landscape.

[Icon] schließen

Erste Schritte mit Samsung Knox

[Icon] Koffer
Sind Sie Fachhändler, Lösungsanbieter oder Serviceanbieter?

Werden Sie Knox Partner und bauen Sie Ihr Geschäft noch heute aus.

[Icon] Info

Wählen Sie ein Knox-Produkt aus, mit dem Sie beginnen möchten:

Knox Suite
Rebranding und Anpassung
Knox Configure
Schutz vor Betrug und Diebstahl
Knox Guard
Samsung Care+ for Business
Sonstige Produkte und Leistungen

Erste Schritte mit

[Image] Knox Suite

Komplettlösung für Unternehmensmobilität.

  • Sichern Sie sich eine kostenlose 90-Tage-Testversion für bis zu 30 Geräte.
  • Eine vollständige Auswahl an Tools für die Sicherung, Bereitstellung, Verwaltung und Analyse der Geräte Ihres Unternehmens.
  • Testen Sie die leistungsstarken Funktionen der Knox Suite.

Knox Suite umfasst:

Knox Mobile Enrollment Kostenlos
Knox Manage
Knox Asset Intelligence
Knox Platform for Enterprise Kostenlos
Fernsupport für Knox
Knox Capture
Knox Authentication Manager

Erste Schritte mit

[Image] Knox Configure-Logo

Umbenennen und Anpassen Ihrer Samsung Geräte.

  • Sichern Sie sich eine kostenlose 90-Tage-Testversion für bis zu 30 Geräte.
  • Konfigurieren Sie mehrere Samsung Geräte gleichzeitig per Fernzugriff und passen sie die Geräte an Ihre persönlichen Bedürfnisse, damit sie sofort einsatzbereit sind.
  • Richten Sie Ihre Geräte für eine einmalige Bereitstellung ein, oder aktualisieren Sie sie so oft Sie möchten.

Erste Schritte mit

[Icon] Knox Guard-Logo

Betrugs- und Diebstahlschutz für Samsung Geräte.

  • Sichern Sie sich eine kostenlose 90-Tage-Testversion für bis zu 30 Geräte.
  • Geringere finanzielle Risiken und Schutz Ihrer Vermögenswerte durch Fernsteuerung von Samsung Geräten.
  • Testen Sie alle Funktionen von Knox Guard, einschließlich der SIM-Steuerung oder der Gerätesperrung.

Erste Schritte mit

[Image] Samsung Care Plus For Business-Logo

Geräteschutz-Tarife für Ihre Geräte von Samsung.

  • Verringern Sie Betriebsunterbrechungen mit schnellen Reparaturen und Austausch von Geräten. Wenden Sie sich zum Durchstarten an das Samsung Vertriebsteam.
  • Alle Informationen über die Abdeckung und Ihre Ansprüche an einem zentralen Ort einsehen.
  • Sie haben Samsung Care+ for Business bereits gekauft? Erstellen Sie ein Konto und aktivieren Sie einen Tarif über die Samsung Care+ for Business-Konsole.

Sonstige Produkte und Leistungen

[Image] Sonstige Logos

Moderne Lösungen für Ihre individuellen Ansprüche.

  • Profitieren Sie von effizientem technischen Support durch einen fest zugeordneten Kundenbetreuer mit Enterprise Tech Support.
  • Erstellen Sie maßgeschneiderte Geräte für Ihr Unternehmen mit dem Samsung Software Customization Service.